TPM-backed SSL

This is a short howto on setting up TPM-backed SSL. This means that
the secret key belonging to an SSL cert is protected by the TPM and
cannot be copied off of the machine or otherwise inspected.

Meaning even if you get hacked the attackers cannot impersonate you,
if you manage to kick them off or just shut down the server. The
secret key is safe. It has never been outside the TPM and never will
be.

This can be used for both client and server certs.

Prerequisites

A TPM chip. Duh. May need to be turned on in the BIOS. Could be
called “security chip” or something. If you don’t have a TPM chip
but still want to follow along (maybe add TPM support to some
program) then you can install a TPM emulator. See links at the end
on how to install a TPM emulator.

A working CA that will sign your CSR. I will assume you’re
running your own CA, but you can send the CSR to someone else
to sign if you want cert creating step.

Yes really, empty password. This password protects TPM operations, so
worst case is that someone with shell access can put some load on your
TPM chip. They can’t use it to crack keys or anything. This is not a
password that protects your secrets, they’re already secure. You may
want to supply an owner password. If so, leave out the -y option.

Use in the real world

Huh. I haven’t actually seen this implemented in any Open Source
software (besides the openssl command line interface) Well, actually
curl and stunnel4 appear that they could support it, but it’s not
clear
how. Here
is someone else wondering how to get stunnel to do it. It’s from 2006
with no replies.

The only thing I have that uses the TPM chip is my Chromebook. Client
certs there are protected by it by default.

Please leave comments if you know of any TPM support in Open Source
stuff.

tlssh

I have added support for tlssh
to use TPM on both the server and client side. Add -E tpm on the
client side, and have something like this on the server side config
(or only on one side. There’s no requirement that both sides use TPM):

PrivkeyEngine tpm
TpmSrkPassword
PrivkeyPassword secretpasswordhere

That last line is just needed if the key has a password. The client
can be configured in the same way to not have to ask for the
passwords.

If PrivkeyEngine tpm or -E tpm is supplied the secret key will be
assumed to be TPM protected and should be in the form of a BEGIN TSS
KEY BLOB section instead of a PEM format BEGIN RSA PRIVATE KEY
section.

Performance

Oh, it’s slow. Really slow. Luckily it’s just used in the handshake.
I haven’t done proper benchmarks, but let’s just say you won’t be
using it to power your webmail. I may do some benchmarking in a coming
blog post.

Update: It can do about 1.4 connections per second.

Misc notes

The .key file for the TPM-backed cert contains the secret key
encrypted with something that’s in the TPM. It’s not usable without
the exact same TPM chip.

You can choose to create a key in the normal way and then “convert”
it to a TPM-backed key. It’s not as secure since you can’t say the
key was never stored outside the TPM chip, but use the -w switch
to create_tpm_key if you want to do this.

OpenSSL is probably the most horrible, disgusting, undocumented crap
library I’ve ever seen. Some of this can be blamed on SSL, X509 and
ASN.1, but far from all.

Emulated TPM is not completely useless. Since the emulator runs as
root and the user has no insight into it you can have users be able
to use private keys that they can’t read or copy to other
machines. (caveat: I don’t know if the emulator is actually secure
in this mode, but it can be made to be)